GHSA-h66p-m766-33fv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-h66p-m766-33fv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h66p-m766-33fv/GHSA-h66p-m766-33fv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-h66p-m766-33fv
- Aliases
- Published
- 2022-05-13T01:48:37Z
- Modified
- 2023-11-08T03:59:37.971848Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- AWS CodeDeploy Plugin stored AWS Secret Key in plain text
- Details
-
Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains a Insufficiently Protected Credentials vulnerability in AWSCodeDeployPublisher.java that can result in Credentials Disclosure. This attack appears to be exploitable via local file access.
AWS CodeDeploy Plugin 1.20 and newer stores the AWS Secret Key encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text. Existing jobs need to have their configuration saved for existing plain text secret keys to be overwritten.
- Database specific
{ "nvd_published_at": "2018-07-09T13:29:00Z", "github_reviewed_at": "2022-07-27T20:57:55Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-522" ] }- References
Affected packages
Maven / com.amazonaws:codedeploy
Package
- Name
- com.amazonaws:codedeploy
- View open source insights on deps.dev
- Purl
- pkg:maven/com.amazonaws/codedeploy